Asset Explorer enables you to import users from Microsoft Entra ID (Azure AD) based on certain criteria. You can map Azure AD user fields with Asset Explorer fields to import specific user details.
You can also automatically sync deleted users from Microsoft Entra ID to Asset Explorer.
Role Required: Organization Admin for ESM Setup; SDAdmin for non-ESM setup
Asset Explorer only reads user information from Azure via API and does not modify data in Azure.
Please disable AD import for domains with Microsoft Entra ID sync configured.
Prerequisites
To obtain user and group information from Azure AD, create an App registration with the required permissions. Follow the steps below to register the application.
Role Required: Global Administrator
- Log into Azure.
- In the left pane, select Microsoft Entra ID.
- On the Microsoft Entra ID page, select App registrations from the left pane, and click New registration.
- Provide a name for the application.
- Select the supported account types for the application. This determines who can access the application.
Note that the Accounts in this organizational directory only option must be selected to sync users from Entra ID.
- Click Register to save the application.
- The Client ID and Token URL required in Asset Explorer can be found in the registered application:
- Client ID: Application ID in the Overview section.
- Token URL: OAuth 2.0 token endpoint (v2) under Overview > Endpoint.
- To get the Client Secret, go to Certificates & Secrets > Client Secret > New client secret.
- Provide a description of the client secret and choose its validity.
- Click Add.
- Update permissions required for user sync in the registered application:
- Go to API permissions and click Add a permission.
- Select Microsoft Graph > Application permissions
- Add permissions User.Read.All and Group.Read.All
Group.Read.All permission is required to list Azure user groups when setting criteria. If you do not require group-based criteria, this permission is not necessary.
Grant admin consent for the added permissions.
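The following Python check is an added example, not part of the product or of Microsoft's tooling. It audits the two values this procedure produces: whether the Token URL is a tenant-specific v2 endpoint, and whether the roles claim of an app-only access token issued to the registration carries only the permissions listed above. The sample token is constructed and unsigned, and the global-cloud login host is an assumption.

```python
import base64
import json
import re

# Application permissions named on this page. Group.Read.All is only needed
# when group-based import criteria are used.
ALWAYS_NEEDED = {"User.Read.All"}
GROUP_CRITERIA_ONLY = {"Group.Read.All"}

# Assumption: global Azure cloud host; national clouds use other login hosts.
TOKEN_URL = re.compile(
    r"^https://login\.microsoftonline\.com/([^/]+)/oauth2/v2\.0/token$")
SHARED_AUTHORITIES = {"common", "organizations", "consumers"}


def check_token_url(url):
    """Classify a Token URL value before saving it in the domain settings."""
    match = TOKEN_URL.match(url)
    if not match:
        return "not-v2-token-endpoint"
    if match.group(1).lower() in SHARED_AUTHORITIES:
        return "shared-authority"
    return "ok"


def jwt_claims(token):
    """Decode the payload segment of a JWT without verifying its signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token, group_criteria_used):
    """Compare the token's app roles with what the user sync needs."""
    granted = set(jwt_claims(token).get("roles", []))
    needed = ALWAYS_NEEDED | (GROUP_CRITERIA_ONLY if group_criteria_used else set())
    return {"missing": sorted(needed - granted),
            "excess": sorted(granted - needed)}


def sample_token(roles):
    """Constructed, unsigned JWT-shaped string so the check runs offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg({"roles": roles}), "sig"])


if __name__ == "__main__":
    tok = sample_token(["User.Read.All", "Group.Read.All", "Directory.ReadWrite.All"])
    print(audit_roles(tok, group_criteria_used=False))
```

Anything reported under excess is a permission the registration holds beyond what the sync needs and can be removed under API permissions.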
Set up Microsoft Entra ID integration for user synchronization under ESM Directory > User Management > Microsoft Entra ID (Azure AD) for ESM setups.
For non-ESM setups, access Microsoft Entra ID (Azure AD) under Admin > Users & Permissions.
Follow these steps to configure user import from Microsoft Entra ID:
Step 1: Add Domains
Add domains to sync users from Microsoft Entra ID. You can set up multiple domains with different field mapping and criteria for importing users.
- Go to the Microsoft Entra ID (Azure AD) page in Asset Explorer.
- Under Domain Details, click Add New Domain.
- In the Add Domain pop-up, enter the following details:
- Domain Name: Name of the domain.
- Client ID: Azure application ID
- Client Secret: Client secret value in Azure.
- Token URL: Link to the Azure endpoint to obtain the access token.
- Click Save and Test Connection.
Refer to the Prerequisites section above to obtain the Client ID, Client Secret, and Token URL from Azure.
After the test connection is successful, the Field Mapping and User Import Settings section will appear in the Add Domain pop-up.
Step 2: Field Mapping
Map user detail fields for synchronization from Microsoft Entra ID in the Add Domain pop-up.
- In the drop-down fields displayed, select the Asset Explorer fields and map them to the corresponding user fields in Microsoft Entra ID.
- On selecting field names from the Asset Explorer column, the relevant Microsoft Entra ID fields will be automatically mapped. You can change the mapping of Microsoft Entra ID fields as required.
- Add or remove fields using the add and remove icons.
Name and Login Name fields are mandatory for fetching Azure users and cannot be removed. The Reporting To field can be mapped only to the manager field in Azure AD.
Object ID, userPrincipalName, onPremisesUserPrincipalName, onPremisesDomainName, and onPremisesSamAccountName are imported by default.
Additional fields can also be used for field mapping in Asset Explorer.
Step 3: User Import Settings
Schedule the user import for periodic sync or import users manually in the Add Domain pop-up.
- Scheduled Import:
- In the Schedule Configuration tab, choose to import users with or without criteria.
- Without Criteria: Imports all users automatically at the scheduled time.
- Based on Criteria: Imports users based on specified criteria. Select the criteria from the available drop-downs.
- Manual Import:
- In the Import Once tab, enter the User Principal Name of users in the text box. You can import up to five users at a time.
- Click Import Now. This import will be executed instantly without any scheduling, and the count of added, overwritten, and failed records will be displayed.
When adding new users, the user's manager will be automatically included as a user. To prevent this, remove the manager field in the Field Mapping section.
When field mapping or user import criteria are changed, a full import will be initiated for the next delta sync.
Step 4: Set a local authentication password for imported users
Set a default local authentication password for users imported from Microsoft Entra ID. Users can change this password after their first login.
- In the Microsoft Entra ID (Azure AD) page in Asset Explorer, hover over the Local Authentication Password section, and click Edit.
- Generate a random password for each user or set a predefined password.
- Click Save.
Ensure that the predefined password meets all password policy requirements.
Users will receive their password details via email. Configure email notifications for users under Admin > Automation > Notification Rules > Request > Send Self-service login details.
You can mandate users to update the default password after their first login under Admin > Security Settings > Password Policy for non-ESM setups and ESM Directory > Security Settings > Password Policy for ESM setups.
The local authentication password set for AD imported users is also applicable for users imported from CSV files.
Step 5: Schedule Microsoft Entra ID import
Schedule user import to synchronize user details periodically. Users and their details are synchronized with Asset Explorer in two ways:
- Full Import: Syncs all user data.
- Delta Import: Syncs updated user details and newly added user accounts every hour.
When the schedule is enabled, both Full import and Delta import are automatically enabled. To enable the import schedule,
- On the Microsoft Entra ID (Azure AD) page in Asset Explorer, hover over the Import Schedule field, and click Edit.
- Enable the schedule using the check box and specify the import frequency.
- Set the start date and time for the schedule.
- Click Save.
The users will be imported per the schedule, and the user information will be updated every hour. You can view the last import time and the next scheduled time in the Import Schedule section.
The import summary will be notified to the Organization Admin (for ESM setup) and SDAdmins (for non-ESM setup) through bell notifications. It can be viewed under

, and will display the count of users added, updated, and failed. Additionally, a CSV file containing the User Principal Name of the failed users will be included.
User accounts may be overwritten if they meet specific conditions.
Learn more.
During delta sync, only import failures will be notified to the SDAdmin/Organization Admin.
Please perform a full sync at least once every 30 days to ensure that user details are up to date.
Step 6: Sync deleted users from Active Directory
Configure what happens to the user data in Asset Explorer when they are deleted in Microsoft Entra ID.
You can either delete the users automatically or manually. Deleted users will be synced with Asset Explorer during the configured full import schedule.
To configure the syncing of deleted users,
- On the Microsoft Entra ID (Azure AD) page in Asset Explorer, hover over the Sync Deleted Users section, and click Edit.
- Choose your deletion method: Automatic or manual. Note that automatic deletion is applicable only to non-technician users.
- Click Save.
If manual deletion is chosen, the SDAdmin/Organization Admin will receive a bell notification and a list of deleted users will be displayed upon clicking the notification.
If automatic deletion is chosen,
- Non-technicians will be automatically removed, and a bell notification indicating the number of deleted users will be sent to the SDAdmin/Organization Admin. Clicking the notification will open the system log with the deleted user information in a CSV file.
- Technicians will not be deleted automatically. Instead, the SDAdmin/Organization Admin will receive a bell notification and a list of deleted users will be displayed upon clicking the notification.
Additionally, the link to the deleted users list will be displayed on the Microsoft Entra ID page in Asset Explorer and also under Admin > Users & Permission > Users/Technician tab. The SDAdmin/Organization Admin can review the list before removing the users from Asset Explorer.
Criteria to Overwrite User
The user will be overwritten if:
- ObjectID of an Azure user matches an existing user.
- onPremisesUserPrincipalName or onPremisesImmutableId of the Azure user matches the existing user's userPrincipalName or lookup_guid, respectively.
- OnPremiseDomainName and OnPremiseSamAccountName of the Azure user match the domain name and login name of the existing user.
- Login name and the domain name of the Azure user match the existing user's login and domain name.
- Login name of the Azure user matches the login name of the existing user, but the domain is not associated with that user.
- Override user information based on email ID is enabled, and the email ID of the Azure user matches the email ID of the existing user.
This option can be enabled/disabled under General Settings > Advanced Portal Settings in non-ESM setups and ESM Directory > General Settings > Application Settings in ESM setups.
If none of the above criteria are met, a new account will be created for the Azure user.
onPremisesUserPrincipalName, onPremisesImmutableId, OnPremiseDomainName, OnPremiseSamAccountName fields will be available in Microsoft Entra ID only for users synced from OnPremise Active Directory.
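A pre-import review of the criteria above can be scripted. The Python sketch below is an added example and one reading of the listed criteria, not Asset Explorer's own matching code. It reports which existing accounts an import would overwrite and under which criterion, so the list can be checked before the first sync. The sample records are constructed, and the key names on the existing-user side (login_name, domain, email, object_id) are hypothetical.

```python
def _eq(a, b):
    # Assumption: case-insensitive comparison; empty values never match.
    return bool(a) and bool(b) and a.casefold() == b.casefold()


def overwrite_reasons(az, ex, email_override=False):
    """Criteria from the list above that Azure record az meets for existing user ex."""
    login = _eq(az.get("login_name"), ex.get("login_name"))
    checks = {
        "object-id": _eq(az.get("id"), ex.get("object_id")),
        # Assumption: immutable ID and lookup_guid are already in the same encoding.
        "onprem-upn-or-immutable-id":
            _eq(az.get("onPremisesUserPrincipalName"), ex.get("userPrincipalName"))
            or _eq(az.get("onPremisesImmutableId"), ex.get("lookup_guid")),
        "onprem-domain-and-sam":
            _eq(az.get("onPremisesDomainName"), ex.get("domain"))
            and _eq(az.get("onPremisesSamAccountName"), ex.get("login_name")),
        "login-and-domain": login and _eq(az.get("domain"), ex.get("domain")),
        "login-only-no-domain": login and not ex.get("domain"),
        "email": email_override and _eq(az.get("mail"), ex.get("email")),
    }
    return [name for name, hit in checks.items() if hit]


def collisions(azure_users, existing_users, email_override=False):
    """(Azure UPN, existing login, reasons) for each pair the import would merge."""
    return [(az["userPrincipalName"], ex["login_name"], why)
            for az in azure_users for ex in existing_users
            if (why := overwrite_reasons(az, ex, email_override))]


# Constructed sample records; key names other than the Graph ones are hypothetical.
EXISTING = [
    {"login_name": "administrator", "domain": None, "email": "it@example.com"},
    {"login_name": "jdoe", "domain": "CORP", "email": "jdoe@example.com"},
]
AZURE = [
    {"id": "a1", "userPrincipalName": "administrator@contoso.example",
     "login_name": "administrator", "domain": "contoso.example"},
    {"id": "a2", "userPrincipalName": "jane@contoso.example",
     "login_name": "jane", "domain": "contoso.example", "mail": "jdoe@example.com"},
]

if __name__ == "__main__":
    for row in collisions(AZURE, EXISTING, email_override=True):
        print(row)
```

Matches on login name alone or on email ID are the ones worth reviewing by hand, since they merge accounts that share no directory identifier.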
Refer to the following Microsoft documentation to learn more about syncing users from OnPremises Active Directory: